Enumeration Techniques

Date post: 02-Jun-2018
Upload: shafeeque-olassery-kunnikkal

Transcript
  • 8/11/2019 Enumeration Techniques

    1/21

    GRAYTIPS CYBER TECHNOLOGIES CEH v8 DAY1 Module 04

    Module 04 - Enumeration - Duration 1.45 Hrs

    Enumeration Concepts

    NetBIOS enumeration

    SNMP Enumeration

    UNIX/Linux Enumeration

    LDAP Enumeration

    NTP Enumeration

    SMTP Enumeration

    DNS Enumeration

    Enumeration Counter Measures

    Enumeration Pen Testing

    Enumeration Concepts

    What is Enumeration? Enumeration is defined as the process of extracting user names, machine names, network resources, shares and services from a system.

    In this phase the attacker creates an active connection to the system and performs directed queries to gain more information about the target.

    The gathered information is used to identify the vulnerabilities or weak points in system security, which the attacker tries to exploit in the System gaining phase.

    Enumeration techniques are conducted in an intranet environment.

    Types of information enumerated by intruders:

    Network resources and shares
    Users and groups
    Routing tables
    Auditing and service settings
    Machine names
    Applications and banners
    SNMP and DNS details

    Techniques for Enumeration

    Extracting user names using email IDs
    Extract information using the default password
    Brute force Active Directory

    1 Rev 1.0

    Extract user names using SNMP
    Extract user groups from Windows
    Extract information using DNS zone transfer

    Services and Ports to Enumerate

    TCP 53: DNS zone transfer
    TCP 135: Microsoft RPC Endpoint Mapper
    TCP 137: NetBIOS Name Service
    TCP 139: NetBIOS Session Service (SMB over NetBIOS)
    TCP 445: SMB over TCP (Direct Host)
    UDP 161: SNMP
    TCP/UDP 3

    Using these techniques the attacker can launch two types of attack on the remote computer having NetBIOS. He can choose to read/write to a remote computer system depending on the availability of shares. Alternatively he can launch a denial of service.

    Nbtstat

    Displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local computer and remote computers, and the NetBIOS name cache. Nbtstat allows a refresh of the NetBIOS name cache and the names registered with Windows Internet Name Service (WINS). Used without parameters, Nbtstat displays help.

    DEMO: nbtstat.exe -a <NetBIOS name of a remote machine> to get the NetBIOS name table of a remote computer

    nbtstat.exe -c to display the contents of the NetBIOS name cache, the table of NetBIOS names and their resolved IP addresses.

    NetBIOS enumeration Tool:

    SuperScan, Hyena, Winfingerprint, NetBIOS Enumerator

    nbtscan is installed by default on BackTrack, and there is also a version for Windows platforms. We can use nbtscan to scan the whole network.

    Enumerating User Accounts:

    Enumerate Systems Using Default Passwords

    Devices like switches, hubs, routers and access points usually come with default passwords

    Some applications also come with default passwords configured

    Most users do not change these default passwords

    Attackers misuse this: they will identify the device and recover the default passwords from sites like www.virus.org/default_passwords

    SNMP Enumeration

    SNMP (Simple Network Management Protocol) is an application layer protocol that uses UDP

    Used to maintain and manage routers, hubs and switches on an IP network.

    out of the MIB and then report the information back to the manager.

    Community String:

    An SNMP community string is a text string which acts as an authentication token (a password basically) between the management stations and network devices on which SNMP agents are hosted.

    Community strings travel in clear text over the network, hence are subject to network sniffing attacks. Community strings are sent with every network packet exchanged between the node and management station.

    For the management station to discover and manage network devices, the device needs to be SNMP enabled and the community string sent by the NMS over the network should match the community string of the device.

    Also, the firewall on the remote device should be configured to permit the traffic, as firewalls will block the SNMP traffic by default.

    There are two different modes in which SNMP operates and both of these modes have different community strings:

    1. Read only

    This mode permits querying the device and reading the information, but does not permit any kind of changes to the configuration. The default community string for this mode is "public."

    2. Read Write

    In this mode, changes to the device are permitted; hence if one connects with this community string, we can even modify the remote device's configurations. The default community string for this mode is "private."

    When the community strings are left at the default settings, attackers take the opportunity and find the loopholes in it. Then the attacker can use these default passwords for changing or viewing the configuration of the device or system.
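
    An added example, not part of the original course notes: a defensive check that reads a Net-SNMP style snmpd.conf and flags the default community strings "public" and "private" described above, plus communities accepted from any source address. The sample configuration is constructed, and the function names and finding codes are chosen for this example.

```python
import shlex

DEFAULT_COMMUNITIES = {"public", "private"}   # defaults named in the text above
RO_DIRECTIVES = {"rocommunity", "rocommunity6"}
RW_DIRECTIVES = {"rwcommunity", "rwcommunity6"}
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}  # "default" means any address

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONF = """\
# constructed snmpd.conf for this example
rocommunity public
rwcommunity private 10.0.0.0/8
rocommunity n0c-R3adOnly 192.0.2.10
com2sec -Cn ctx1 notConfigUser default public
com2sec mgmt 192.0.2.0/24 s3cr3t-str1ng
syslocation "Server room # 2"
"""


def parse_directive(tokens):
    """Return (access, community, source) for a community directive, else None."""
    name, args = tokens[0].lower(), tokens[1:]
    if name in RO_DIRECTIVES | RW_DIRECTIVES:
        if not args:
            return None
        access = "read-write" if name in RW_DIRECTIVES else "read-only"
        # With no SOURCE argument the community is accepted from any address.
        source = args[1] if len(args) > 1 else "default"
        return access, args[0], source
    if name == "com2sec":
        # com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
        if len(args) >= 2 and args[0] == "-Cn":
            args = args[2:]
        if len(args) >= 3:
            # Access for com2sec is decided by separate group/access lines.
            return "see group/access", args[2], args[1]
    return None


def audit_snmpd_conf(text):
    """Return a list of (line_no, code, access, source) findings."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:                        # quote cut off by a '#'
            tokens = line.split()
        parsed = parse_directive(tokens)
        if parsed is None:
            continue
        access, community, source = parsed
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((line_no, "default-community", access, source))
        if source in ANY_SOURCE:
            findings.append((line_no, "unrestricted-source", access, source))
    return findings


if __name__ == "__main__":
    for finding in audit_snmpd_conf(SAMPLE_CONF):
        print(finding)
```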

    Management Information Base (MIB)

    1. MIB is a virtual database containing formal description of all the network objects that can be managed using SNMP.

    2. The MIB database is hierarchical and each managed object in a MIB is addressed through object identifiers (OID). The OID will be represented by a decimal notation. Numerical values representative of different settings.

    3. MIB managed objects include scalar objects that define a single object instance and tabular objects that define group of related object instances.

    4. The OID includes the object's type such as counter, string, or address, access level such as read or read/write, size restrictions and range information.

    5. SNMP manager uses the MIB as a codebook for translating the OID numbers into a human-readable display.

    SNMP Enumeration Tool

    1) OpUtils Network Monitoring Toolset - http://www.manageengine.com
    2) SolarWinds (best SNMP enumeration tool) - www.solarwinds.com
    3) Getif SNMP MIB Browser - http://www.wtcs.org
    4) OidView SNMP MIB Browser - http://www.oidview.com
    5) iReasoning MIB Browser - http://tl1.ireasoning.com
    6) SNScan - http://www.foundstone.com
    7) SNMP Scanner - http://www.secure-bytes.com

    On the Unix side the Finger utility lets us discover information about system users.

    Systems running a finger daemon, which operates on TCP port 79, will respond to queries about currently logged-in users as well as information requests about specific users.

    To install finger:

    apt-get install finger
    apt-get install inetutils-inetd fingerd
    type 'ps ax | grep inetd | grep -v grep' to see the process id #

    finger @hostname: provides a list of all users currently logged into hostname

    finger graytips@hostname

    Rpcinfo

    One of the most powerful and dangerous services on Unix systems. It is a program that talks to a portmapper on a system and retrieves a list of all of the RPC services currently running, their names and descriptions, and the port they are using.

    Some popular RPC services are NFS (Network File System) and NIS/YP (Network Information Service or Sun Yellow Pages).

    rpcinfo -p hostname: lists all the RPC services that have registered with the portmapper.

    rpcinfo -u hostname programid [version]: make the RPC call and report on a response.

    rpcinfo -b programid version: to find out whether any other machines on the network are running a vulnerable RPC service.

    rpcinfo -d programid version: un-register the programid/version with portmap

    rpcinfo -m hostname: similar to -p except it displays a table of statistics.

    Showmount

    The showmount command lets us see what file systems are available on a particular NFS server.

    showmount -a hostname: shows all the currently mounted directories on the NFS server as well as the hostnames of the clients that have mounted them

    showmount -d hostname: does not list the client hostnames

    showmount -e hostname: shows the mount points that are exported and available for mounting over NFS

    Enum4linux - allows you to enumerate information from Samba, as well as Windows

    LDAP Enumeration

    What is LDAP?

    The Lightweight Directory Access Protocol is a protocol used to access directory listings within Active Directory or from other Directory Services. A directory is usually compiled in a hierarchical and logical format, rather like the levels of management and employees in a company. LDAP tends to be tied into the Domain Name System to allow integrated quick lookups and fast resolution of queries.

    LDAP generally runs on port 3

    LDAP Explorer Tool - http://ldaptool.sourceforge.net

    LDAP Enumeration Countermeasures

    1. Use NTLM or Basic authentication to limit access to known users only
    2. By default, LDAP traffic is transmitted unsecured; use SSL technology to encrypt the traffic
    3. Select a username different from your email address and enable account lockout

    NTP Enumeration

    What is NTP?

    The Network Time Protocol is a protocol for synchronizing time across your network; this is especially important when utilizing Directory Services. As SMTP, NTP has been around for 20 years. There exist a number of time servers throughout the world that can be used to keep systems synced to each other.

    NTP utilizes UDP port 123 as its primary means of communication

    The data available when querying the NTP server can prove quite valuable and is usually available without any formal authentication being required. Through NTP enumeration you can gather information such as lists of hosts connected to the NTP server, IP addresses, system names, and OSs running on the client systems in a network. All this information can be enumerated by querying the NTP server.

    The following commands can be used against an NTP server:

    ntpdate
    ntptrace
    ntpdc
    ntpq

    ntptrace - ntptrace determines where an NTP server gets its time from, and follows the chain of NTP servers back to its primary, i.e. master, time source. If you supply no argument ntptrace will start with the localhost; if a server is specified, the localhost will appear last.

    ntptrace [-vdn] [-r retries] [-t timeout] [servername/IP_address]

    ntpdc - ntpdc is used to query the ntpd daemon about its current state and to request changes in that state. The program may be run either in interactive mode or controlled using command line arguments.

    ntpdc [-ilnps] [-c command] [hostname/IP_address]

    ntpq - ntpq is used to monitor NTP daemon ntpd operations and determine performance.

    ntpq [-inp] [-c command] [host/IP_address]

    SMTP Enumeration

    What is SMTP?

    The Simple Mail Transport Protocol has been around since the birth of computing. SMTP is very simple and is used to send email messages as opposed to POP3 or IMAP which can be used to both send and receive messages. It is, as generally are all protocols, defined by a distinct set of rules (RFCs) which govern how it works and should respond.

    SMTP generally relies on using Mail Exchange (MX) servers to direct the mail to via the Domain Name Service; however, should an MX server not be detected, SMTP will revert and try an A or alternatively SRV records.

    SMTP generally runs on port 25

    Being a simple protocol, it is possible to directly interact with SMTP via the use of a telnet prompt

    SMTP enumeration allows you to determine valid users on the SMTP server. This is done with the help of built-in SMTP commands; they are:

    VRFY - This command is used for validating users
    EXPN - This command tells the actual delivery address of aliases and mailing lists.
    RCPT TO - It defines the recipients of the message.

    Tool: NetScanTools Pro

    SMTP Enumeration Countermeasures

    1. Configure SMTP server either to ignore email messages to unknown recipients or to send responses that do not include these types of information:
       a) Details of mail relay systems being used (such as sendmail or MS Exchange)
       b) Internal IP address or host information

    2. Ignore emails to unknown recipients by configuring SMTP servers.

    DNS Enumeration

    DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization.

    A company may have both internal and external DNS servers that can yield information such as usernames, computer names, and IP addresses of potential target systems.

    There are a lot of tools that can be used to gain information for performing DNS enumeration. Examples of tools that can be used for DNS enumeration are nslookup and dnsstuff.

    The list of DNS records provides an overview of types of resource records (database records) stored in the zone files of the Domain Name System (DNS). The DNS implements a distributed, hierarchical, and redundant database for information associated with Internet domain names and addresses. In these domain servers, different record types are used for different purposes. The following list describes the common DNS record types and their use:

    A (address) - Maps a host name to an IP address
    SOA (Start of Authority) - Identifies the DNS server responsible for the domain information
    CNAME (canonical name) - Provides additional names or aliases for the address record
    MX (mail exchange) - Identifies the mail server for the domain
    SRV (service) - Identifies services such as directory services
    PTR (pointer) - Maps IP addresses to host names
    NS (name server) - Identifies other name servers for the domain

    DNS Zone Transfer is typically used to replicate DNS data across a number of DNS servers, or to back up DNS files. A user or server will perform a specific zone transfer request from a name server. If the name server allows zone transfers to occur, all the DNS names and IP addresses hosted by the name server will be returned in human-readable ASCII text.

    DEMO: zonetransfer.me

    Tool: nslookup, Maltego

    ./fierce.pl -dns zonetransfer.me

    dig @ns zonetransfer.me axfr

    DNSenum - a tool that was designed with the purpose of enumerating DNS information about a domain.

    The program currently performs the following operations:

    1. Get the host's address (A record).
    2. Get the nameservers (threaded).
    3. Get the MX record (threaded).
    4. Perform axfr queries on nameservers and get BIND versions (threaded).
    5. Get extra names and subdomains via Google scraping (google query "allinurl: -www site:domain").
    6. Brute force subdomains from file; can also perform recursion on subdomains that have NS records (all threaded).
    7. Calculate C class domain network ranges and perform whois queries on them (threaded).

    Command Description:

    > ./dnsmap certifiedhacker.com

    This command has a built-in word list which tries to find subdomains using a brute force mechanism. This command takes a lot of time to find the subdomains.

    > ./dnsmap certifiedhacker.com -w subdomains.txt

    This command uses the customized word list and brute forces the subdomains. The time consumed by this command is much less when compared to the previous one.

    > ./dnsmap certifiedhacker.com -w subdomains.txt -r /tmp/

    After the execution of the command the result will be saved to the /tmp/ directory. This may vary with your directory location.

    > ./dnsmap certifiedhacker.com -w subdomains.txt -r /tmp/ -s 500

    Here we are doing the same operation with an additional functionality. Here we are sending random requests of 30 milliseconds. And we can also change the request time depending on the requirement.

    dnsrecon - The types of enumeration that it performs include the following:

    Zone Transfer
    Reverse Lookup
    Domain and Host Brute-Force
    Standard Record Enumeration (wildcard, SOA, MX, A, TXT etc.)
    Cache Snooping
    Zone Walking
    Google Lookup

    e.g.: dnsrecon -d certifiedhacker.com

    dnsrecon -d <domain> -t axfr - zone transfer
    dnsrecon -r <startIP-endIP> - reverse lookup
    dnsrecon -d certifiedhacker.com -D subdomains.txt -t brt - domain brute force
    dnsrecon -t snoop -n Server -D <Dict> - cache snooping
    dnsrecon -d certifiedhacker.com -t zonewalk - zone walking

    Dnstracer determines where a given Domain Name Server (DNS) gets its information from, and follows the chain of DNS servers back to the servers which know the data.

    How Does DNStracer work?

    It sends the specified name-server a non-recursive request for the name.

    Non-recursive means: if the name-server knows it, it will return the data requested. If the name-server doesn't know it, it will return pointers to name-servers that are authoritative for the domain part in the name or it will return the addresses of the root name-servers.

    If the name server does return an authoritative answer for the name, the next server is queried. If it returns a non-authoritative answer for the name, the name servers in the authority records will be queried.

    The program stops if all name-servers are queried. Make sure the server you're querying doesn't do forwarding towards other servers, as dnstracer is not able to detect this for you. It detects so-called lame servers, which are name-servers which have been told to have information about a certain domain, but don't have this information.

    http://www.mavetju.org/unix/dnstracer.php

    dnstracer -c http://www.certifiedhacker.com

    Dnswalk is a DNS debugger. It performs zone transfers of specified domains, and checks the database in numerous ways for internal consistency, as well as accuracy. dnswalk is not for the faint of heart. It should NOT be used without a firm knowledge of the DNS RFCs. The warnings and errors must be interpreted within the context they are being used. Something may be flagged as a warning, but in reality it is a really bad error. Conversely dnswalk will flag things as warnings and possibly even errors, but they may actually be perfectly "legal" or normal in your specific situation. dnswalk is not an AI engine. It just provides useful information which you need to interpret. If you use this tool for cracking or otherwise evil purposes, the author hereby considers you a slime-ball.

    dnswalk -fradm zonetransfer.me.

    URLcrazy is for researching domain name misspellings. It generates domain name typo permutations then tests each of them to learn if they are in use, estimate their popularity and more.

    e.g.: urlcrazy www.certifiedhacker.com

    DNS Enumeration Countermeasures

    1. Configure all name servers to disallow the DNS zone transfers to untrusted hosts
    2. Ensure that nonpublic hostnames are not referenced to IP addresses within the DNS zone files of publicly accessible DNS servers
    3. Ensure that HINFO and other records do not appear in DNS zone files
    4. Provide standard network administration contact details in Network Information Center databases to prevent social engineering and war dialing attacks
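
    An added example, not from the original notes: a defender-side audit for countermeasures 1 to 3 above. It scans a public zone file for HINFO records and for hosts that resolve to internal address space, and scans named.conf text for allow-transfer lists that contain any. The zone data, the named.conf text, the function names and the reading of "nonpublic" as private, loopback or link-local space are assumptions of this example; the parser handles one record per line only.

```python
import ipaddress
import re

RR_TYPES = {"A", "AAAA", "CNAME", "HINFO", "MX", "NS", "PTR", "SOA", "SRV", "TXT"}
CLASSES = {"IN", "CH", "HS"}
# Assumption: "nonpublic" hosts are approximated by private, loopback and
# link-local address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]

# Constructed sample data (example.com, documentation address range).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
@        IN NS  ns1.example.com.
ns1      IN A   192.0.2.53
www      300 IN A 192.0.2.80
         IN HINFO "PC-Intel" "Linux"   ; leaks platform details
intranet IN A   10.20.30.40            ; internal host in the public zone
backup   IN A   192.168.1.25
mail     IN MX  10 mx1.example.com.
"""
SAMPLE_NAMED_CONF = """\
options { allow-transfer { any; }; };
zone "example.com" { type master; file "db.example.com";
    allow-transfer { 192.0.2.54; }; };
"""


def parse_records(zone_text):
    """Yield (owner, rtype, rdata); a leading blank reuses the last owner."""
    owner = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip() or line.lstrip().startswith("$"):
            continue                                  # blank or $ORIGIN/$TTL
        tokens = line.split()
        if not raw[0].isspace():
            owner = tokens.pop(0)
        # Skip the optional numeric TTL and class, in either order.
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)
        if tokens and tokens[0].upper() in RR_TYPES:
            yield owner, tokens[0].upper(), " ".join(tokens[1:])


def audit_public_zone(zone_text):
    """Return (owner, code, detail) for HINFO and internal-address records."""
    findings = []
    for owner, rtype, rdata in parse_records(zone_text):
        if rtype == "HINFO":
            findings.append((owner, "hinfo-record", rdata))
        elif rtype in ("A", "AAAA"):
            try:
                addr = ipaddress.ip_address(rdata.strip())
            except ValueError:
                continue                              # malformed rdata
            if any(addr in net for net in INTERNAL_NETS):
                findings.append((owner, "internal-address", str(addr)))
    return findings


def open_transfer_acls(named_conf_text):
    """Return the allow-transfer ACL bodies that list 'any'."""
    acls = re.findall(r"allow-transfer\s*\{([^}]*)\}", named_conf_text)
    return [a.strip() for a in acls
            if "any" in [item.strip() for item in a.split(";")]]


if __name__ == "__main__":
    for finding in audit_public_zone(SAMPLE_ZONE):
        print(finding)
    print(open_transfer_acls(SAMPLE_NAMED_CONF))
```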

    Enumeration Counter Measures

    Enumeration Pen Testing

    DEMO:

    1. NetBIOS Enumeration:

    nbtstat.exe -a <NetBIOS name of a remote machine> to get the NetBIOS name table of a remote computer

    nbtstat.exe -c to display the contents of the NetBIOS name cache, the table of NetBIOS names and their resolved IP addresses.

    NetBIOS enumeration Tool:

    SuperScan (free), Hyena, Winfingerprint (free), NetBIOS Enumerator (free)

    2. SNMP Enumeration

    1. Enabling SNMP on Windows 2003
    2. Extracting SNMP details from Ubuntu PC
    3. OpUtils
    4. SolarWind's IP Network Browser
    5. snmpwalk -c public 192.16.141 -v 1 - Kali
    6. onesixtyone -i /root/works/target.txt -c /root/works/password.txt - in Kali
    7. snmpset -c <RW community> <router hostname/IP> .1.3.6.1.4.1.9.2.1.55.<TFTP IP octet1>.<octet2>.<octet 3>.<octet 4> string <path/file on TFTP server to save file to>

    e.g. snmpset -c password 19[email protected] .1.3.6.1.4.1.9.2.1.55.19[email protected] s conf

    enable snmp with public string in Windows 2003

    snmpwalk -c public -v1 <ip address> 1
    snmpwalk -c public -v1 192.16.149 SNMPv2-MIB::sysDescr.0

    Snmpcheck runs through the SNMP's MIB retrieving the information stored and displaying the same in a user friendly manner which could be read by a layman.

    snmpcheck -t 192.16.2 -c public > out.txt

    3. UNIX/Linux Enumeration

    1.

    showmount -e hostname: shows the mount points that are exported and available for mounting over NFS

    Enum4linux - allows you to enumerate information from Samba, as well as Windows

    In Ubuntu: ./enum4linux.pl -u Administrator -p graytops -r 192.16.10

    4. LDAP Enumeration

    5. NTP Enumeration

    ntpdate
    ntptrace
    ntpdc
    ntpq

    ntptrace - ntptrace determines where an NTP server gets its time from, and follows the chain of NTP servers back to its primary, i.e. master, time source. If you supply no argument ntptrace will start with the localhost; if a server is specified, the localhost will appear last.

    ntptrace [-vdn] [-r retries] [-t timeout] [servername/IP_address]

    ntpdc - ntpdc is used to query the ntpd daemon about its current state and to request changes in that state. The program may be run either in interactive mode or controlled using command line arguments.

    ntpdc [-ilnps] [-c command] [hostname/IP_address]

    ntpq - ntpq is used to monitor NTP daemon ntpd operations and determine performance.

    ntpq [-inp] [-c command] [host/IP_address]

    6. SMTP Enumeration

    Username enumeration via the EXPN and VRFY commands if these commands have not been disabled by the system administrator.

    1. NetScanTools Pro
    2. smtp-user-enum -M VRFY -U users.txt -t 202.75.54.101 - in Kali
    3. nmap --script smtp-enum-users.nse 202.75.54.101 - in Kali
    4. SWAKS - in Kali - http://www.jetmore.org/john/code/swaks/

    Set up the mail server on Ubuntu:
    http://blog.jambura.com/2012/02/02/mail-server-installation-on-ubuntu/
    https://help.ubuntu.com/community/Dovecot
    http://www.suburbancomputer.com/[email protected]

    apt-get install dovecot-imapd dovecot-pop3d dovecot-common
    sudo /etc/init.d/dovecot start
    ps -A | grep dovecot
    telnet localhost pop3
    telnet localhost imap2

    7. DNS Enumeration

    Tool: nslookup, Maltego

    fierce -dns zonetransfer.me

    If the DNS server does not allow zone transfers, Fierce can be configured to brute force host names on a DNS server

    Domain Information Groper (DIG) -
    dig @ns zonetransfer.me axfr
    dig -t ns zonetransfer.me - forcing to use authoritative name server

    dig axfr @ns12.zoneedit.com zonetransfer.me

    dnsenum certifiedhacker.com
    dnsenum --enum certifiedhacker.com
    dnsenum -f subdomains.txt certifiedhacker.com
    dnsenum --enum -f subdomains.txt --update a -r certifiedhacker.com
    dnsenum -f /usr/share/dnsenum/dns.txt certifiedhacker.com

    dnsmap

    dnsrecon
    dnstracer
    dnswalk
    urlcrazy

    SAMRDUMP

    Samrdump is used to retrieve information about the target using SAM (Security Account Manager).

    It lists out all the domains, shares, user accounts, and other information.

    python samrdump.py Graylab/shafeeque:graytops#@192.16.2

    SMBClient

    This program is part of the Samba suite.

    smbclient is a client that can 'talk' to a LAN Manager server.

    It offers an interface similar to that of the ftp program.

    Operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on.

    smbclient -L 192.16.12 -U Administrator -p 139

    smbclient //192.16.2/[ -U Administrator -p 139

    After getting the prompt, enter the following commands:

    ? - it will list the available commands; play with each command.
